Methods and apparatus for transferring packets in a packet switched communication system. A system is provided that includes an L2 device including a controller determining for each packet received whether the received packet is to be inspected, an inspection device operable to inspect and filter packets identified by the controller including using a zone specific policy and an L2 controller for transferring inspected packets in accordance with L2 header information using L2 protocols.
Legal claims defining the scope of protection, as filed with the USPTO.
1. An L2 device comprising: at least one port to couple to a terminal unit included in a first security zone; at least one port to couple to a terminal unit included in a second security zone that is distinct from the first security zone; a controller to determine for each packet received from either the first security zone or the second security zone whether the received packet is an inter-zone packet destined for the other of the first security zone or the second security zone; a firewall engine to inspect and filter received inter-zone packets using a zone specific policy; and an L2 switching engine to transfer to a port associated with intra-zone transfer, without inspection by the firewall engine, received intra-zone packets using a table of MAC addresses and corresponding ports, and to transfer to a port associated with inter-zone transfer, inter-zone packets that are retained after the inspection by the firewall engine.
2. An L2 device comprising: a controller to determine for each packet received whether the received packet is to be transferred intra-zone or inter-zone, each zone representing a distinct security domain and having an associated policy for use in inspecting packets entering and exiting an associated zone; a firewall engine to inspect and filter received inter-zone packets using a zone specific policy; and an L2 switching engine operable to: route to an intra-zone port, without the inspection by the firewall engine, received intra-zone packets using a table of MAC addresses and corresponding ports, and route to an inter-zone port inspected inter-zone packets that are retained after the inspection by the firewall engine.
3. An L2 device comprising: a controller to determine for each packet received whether the received packet is to be transferred inter-zone or intra-zone, inter-zone being between a plurality of zones and intra-zone being between a single one of the zones, each zone representing a distinct security domain; and a firewall engine to inspect and filter inter-zone packets using a zone specific policy prior to permitting inter-zone routing using L2 protocols, wherein intra-zone packets are not inspected by the firewall engine.
4. An L2 device comprising: a controller to determine for each packet received whether the received packet is an inter-zone packet that is permitted to be transferred from a first distinct security domain to a second distinct security domain subject to a security inspection or an intra-zone packet that is permitted to be transferred within the first or second distinct security domain without being subjected to a security inspection; and an inspection device to inspect and filter inter-zone packets using a zone specific policy prior to inter-zone routing using L2 protocols.
5. An L2 device comprising: a controller to determine for each packet received whether the received packet is to be inspected against a security policy; an inspection device to inspect and filter only those packets identified by the controller as needing inspection based on a zone specific policy; and an L2 controller to transfer inspected packets from a first security zone to a second security zone in accordance with L2 header information using L2 protocols, and transfer non-inspected packets within the first or second security zones.
6. The device of claim 5 wherein the inspection device is a firewall.
7. The device of claim 5 wherein the inspection device is a layer 3 firewall device.
8. The device of claim 5 wherein the inspection device is a layer 4 firewall device.
9. The device of claim 5 wherein the inspection device is a layer 7 firewall device.
10. The device of claim 5 wherein the inspection device is a firewall that filters based on layer information other than layer 2 header information.
11. The device of claim 5 wherein the controller determines each packet that is to pass between security zones and the inspection device only processes inter-zone traffic.
12. The device of claim 5 wherein the controller determines each packet that is to remain in a single security zone and transfers intra-zone packets to the L2 controller, bypassing the inspection device.
13. The device of claim 12 wherein the device uses a MAC address in the layer 2 header of a given packet to determine an egress port on the device to which the packet is to be transferred.
14. The device of claim 5 further comprising a storage element for storing packets that are to be inspected and an L2 controller transferring packets through the device including determining an egress port for transferring a given packet using a destination MAC address in the given packet and a MAC address table that includes a mapping of MAC addresses and associated egress nodes.
15. The device of claim 14 wherein the memory element includes a first and second portion, the first portion storing packets to be transferred through the device, and the second portion storing packets waiting for inspection.
16. The device of claim 5 wherein the device is an L2 switch.
17. The device of claim 5 wherein the device is an L2 bridge.
18. A method for transferring packets in a communication network, the method comprising: receiving a packet at an L2 device; determining whether the received packet is an intra-zone packet to be transferred within a single zone or an inter-zone packet to be transferred between zones, each zone representing a distinct security domain; inspecting and filtering inter-zone packets using a zone specific policy prior to inter-zone routing of the inter-zone packets using L2 protocols; and routing the intra-zone packets without being subject to security inspection or filtering.
19. A method for transferring packets in a communication network, the method comprising: receiving a packet at an L2 device; determining whether the received packet is to be inspected against a security policy; inspecting and filtering identified packets using a zone specific policy prior to transferring the packet from a first security zone through the L2 device using L2 protocols to a second security zone distinct from the first security zone; and transferring non-inspected packets either from the first security zone to the first security zone, or from the second security zone to the second security zone.
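The following is an added example, not code from the patent or its assignee: a small simulation of the zone-aware L2 device that claims 1 to 19 describe. Each port is assigned to a security zone; a controller classifies a frame as intra-zone or inter-zone from the ingress port's zone and the zone of the port where the destination MAC was learned; inter-zone frames pass a zone-pair policy check (the "firewall engine") before L2 forwarding, while intra-zone frames are forwarded straight from the MAC table without inspection. The zone names, ports, MACs and policy are constructed, and the handling of an unknown destination (flood only within the ingress zone) is a choice made for this example, not something the claims specify.

```python
"""Added example, not the patent's own code: simulation of the zone-aware L2
device in claims 1-19. Zones, ports, MACs and the policy are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    proto: str = "tcp"     # L3/L4 fields the firewall engine looks at
    dst_port: int = 0


@dataclass
class Decision:
    action: str            # "forward", "flood" or "drop"
    egress: List[int]      # ports the frame is sent to ([] when dropped)
    inspected: bool        # True only for inter-zone frames


@dataclass
class ZoneSwitch:
    port_zone: Dict[int, str]                                  # port -> zone name
    policy: Dict[Tuple[str, str], Set[Tuple[str, int]]]        # (src_zone, dst_zone) -> allowed (proto, port)
    mac_table: Dict[str, int] = field(default_factory=dict)    # learned MAC -> port

    def _zone_ports(self, zone: str) -> List[int]:
        return sorted(p for p, z in self.port_zone.items() if z == zone)

    def _inspect(self, src_zone: str, dst_zone: str, pkt: Packet) -> bool:
        """Zone-specific policy check; a zone pair with no entry denies everything."""
        return (pkt.proto, pkt.dst_port) in self.policy.get((src_zone, dst_zone), set())

    def receive(self, ingress: int, pkt: Packet) -> Decision:
        self.mac_table[pkt.src_mac] = ingress            # ordinary source-MAC learning
        src_zone = self.port_zone[ingress]
        dst_port = self.mac_table.get(pkt.dst_mac)
        if dst_port is None:
            # Constructed choice for this example: an unknown destination is
            # flooded only to the other ports of the ingress zone, never across zones.
            return Decision("flood", [p for p in self._zone_ports(src_zone) if p != ingress], False)
        dst_zone = self.port_zone[dst_port]
        if dst_zone == src_zone:
            # Intra-zone: plain MAC-table switching, firewall engine bypassed.
            return Decision("forward", [dst_port], False)
        # Inter-zone: the firewall engine decides; only retained frames are switched.
        if self._inspect(src_zone, dst_zone, pkt):
            return Decision("forward", [dst_port], True)
        return Decision("drop", [], True)


def demo() -> ZoneSwitch:
    """Constructed topology: ports 1-2 in zone 'trust', ports 3-4 in zone 'dmz';
    trust may open TCP/443 towards dmz, dmz may open nothing towards trust."""
    return ZoneSwitch(
        port_zone={1: "trust", 2: "trust", 3: "dmz", 4: "dmz"},
        policy={("trust", "dmz"): {("tcp", 443)}},
    )


if __name__ == "__main__":
    sw = demo()
    print(sw.receive(1, Packet("00:01", "ff:ff", "arp")))        # flood within trust
    print(sw.receive(3, Packet("00:03", "00:01", "tcp", 443)))   # dmz -> trust: dropped
    print(sw.receive(1, Packet("00:01", "00:03", "tcp", 443)))   # trust -> dmz: inspected, forwarded
    print(sw.receive(2, Packet("00:02", "00:01", "tcp", 22)))    # intra-zone: not inspected
```

The point the simulation makes is that the same TCP/22 frame is dropped when it crosses zones but switched untouched when it stays inside one, which is exactly the asymmetry the claims build in: inspection cost and policy only apply on the zone boundary.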
20. A method for switching packets in a communication network including plural zones, each zone representing a distinct security domain, the method comprising: receiving a packet at an interface of an L2 device; determining if a destination MAC address associated with the received packet is known; and if not, holding the received packet a predetermined amount of time without transferring the packet to any port of the L2 device, creating a probe packet that includes the unknown MAC address, and broadcasting the probe packet to all interfaces except the receiving interface.
21. The method of claim 20 wherein the probe packet includes a time to live (TTL) field in an IP header and the method includes setting a value of the TTL field such that a downstream node having the unknown MAC address and receiving the probe packet will return an expired message to the L2 device.
22. The method of claim 20 further comprising dropping the packet after the expiration of the predetermined amount of time.
23. The method of claim 20 wherein the packet is dropped if the MAC address is unknown.
24. The method of claim 20 further comprising receiving a response from one of the broadcast interfaces and updating a table indicating a previously unknown MAC address is associated with the responding interface.
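The following is an added example, not code from the patent or its assignee: a simulation of the unknown-MAC handling in claims 20 to 24. A frame whose destination MAC is not in the table is held for a bounded time instead of being flooded out of every port; the device builds a probe carrying the unknown MAC and sends it on every interface except the receiving one; a reply binds the MAC to the answering interface and releases the held frame; frames still held after the hold time are dropped. Time is an explicit counter supplied by the caller rather than a real clock. The ports, MACs, the probe layout and the TTL value placed in it are constructed.

```python
"""Added example, not the patent's own code: simulation of the hold-and-probe
handling of unknown destination MACs in claims 20-24. Ports, MACs, the probe
layout and the TTL value are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    payload: str = ""


@dataclass
class Held:
    frame: Frame
    ingress: int
    deadline: int


@dataclass
class ProbingSwitch:
    ports: List[int]
    hold_time: int                  # the claims' "predetermined amount of time"
    probe_ttl: int = 1              # constructed: low TTL so the target answers with a TTL-expired message
    mac_table: Dict[str, int] = field(default_factory=dict)
    held: List[Held] = field(default_factory=list)

    def receive(self, ingress: int, frame: Frame, now: int) -> Tuple[List[Tuple[int, Frame]], List[Tuple[int, dict]]]:
        """Returns (forwards, probes): (port, frame) pairs for known destinations,
        (port, probe) pairs broadcast on every interface except the ingress one."""
        self.mac_table[frame.src_mac] = ingress        # ordinary source-MAC learning
        egress = self.mac_table.get(frame.dst_mac)
        if egress is not None:
            return [(egress, frame)], []
        # Unknown destination: the data frame is sent to no port; hold it and probe.
        self.held.append(Held(frame, ingress, now + self.hold_time))
        probe = {"type": "probe", "target_mac": frame.dst_mac, "ip_ttl": self.probe_ttl}
        return [], [(p, probe) for p in self.ports if p != ingress]

    def probe_response(self, iface: int, mac: str) -> List[Tuple[int, Frame]]:
        """A TTL-expired reply for `mac` arrived on `iface`: record the binding
        (claim 24) and release every frame waiting for that MAC."""
        self.mac_table[mac] = iface
        released = [(iface, h.frame) for h in self.held if h.frame.dst_mac == mac]
        self.held = [h for h in self.held if h.frame.dst_mac != mac]
        return released

    def expire(self, now: int) -> List[Frame]:
        """Drop held frames whose hold time has passed (claim 22); returns them."""
        dropped = [h.frame for h in self.held if now > h.deadline]
        self.held = [h for h in self.held if now <= h.deadline]
        return dropped


if __name__ == "__main__":
    sw = ProbingSwitch(ports=[1, 2, 3], hold_time=5)
    print(sw.receive(1, Frame("aa", "bb"), now=0))   # nothing forwarded, probes on ports 2 and 3
    print(sw.probe_response(3, "bb"))                # held frame released towards port 3
    print(sw.receive(1, Frame("aa", "bb"), now=6))   # now switched directly
    print(sw.receive(2, Frame("cc", "dd"), now=10))  # held again
    print(sw.expire(now=16))                         # no reply in time: dropped
```

The security-relevant difference from ordinary switch behaviour is what leaves the device while the destination is unknown: only the small probe, never the original payload, so a frame for a not-yet-learned address is not sprayed into every zone.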
September 28, 2001
November 27, 2007